Endpoint
Authentication
This endpoint uses JWT authentication via a signed upload URL token, not Bearer token authentication. The JWT token must be included in the query string as the token parameter.
Query Parameters
- token: Signed JWT token authorizing the upload. Generated by the Panel.
JWT Payload
The JWT token must contain:
- server_uuid: The UUID of the server
- unique_id: Optional unique identifier for one-time use enforcement
Request Body
Multipart form data with file uploads.
- One or more files to upload
- Target directory path (relative to server root)
Response
Returns 204 No Content on success.
Example Request
Behavior
- Multiple files can be uploaded in a single request
- Files are written to the specified directory
- Parent directories are created automatically if they don’t exist
- Existing files with the same name are overwritten
- Upload size is limited by the upload_limit configuration (default: 100 MB)
- JWT tokens can be marked as one-time use and will be invalidated after the first upload
- Ignored files (.pteroignore) cannot be uploaded
Rate Limiting
Uploads are subject to Wings’ general rate limiting configuration. Very large or numerous uploads may be throttled.
Error Responses
400 Bad Request
Invalid multipart form data or missing files
401 Unauthorized
403 Forbidden
File is on the ignore list or path traversal attempt
413 Payload Too Large
File exceeds upload_limit configuration
500 Internal Server Error
Failed to save file (disk full, permission error, etc.)
JWT Token Generation
Upload tokens are typically generated by the Pterodactyl Panel and passed to the client. The token should:
- Include the server_uuid claim
- Have a short expiration time (recommended: 5-15 minutes)
- Optionally include a unique_id for one-time use
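The checks that this section and the Behavior list imply for the receiving side (signature, expiry, server_uuid binding, one-time unique_id), as an added Python example that is not Wings or Panel code. It assumes HS256 with a shared secret and a standard exp claim; issue, verify and the in-memory _redeemed set are hypothetical names, and the default lifetime of 300 seconds follows the recommendation above.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Assumption: HS256 with a secret shared by the issuer and the daemon.
HEADER = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
_redeemed = set()  # unique_id values already used (in-memory, illustrative)


def _mac(key: bytes, msg: str) -> bytes:
    return _b64(hmac.new(key, msg.encode(), hashlib.sha256).digest()).encode()


def issue(key, server_uuid, ttl=300, unique_id=None, now=None):
    """Issuer side: a short-lived token bound to one server."""
    claims = {"server_uuid": server_uuid, "exp": int(now or time.time()) + ttl}
    if unique_id:
        claims["unique_id"] = unique_id
    msg = HEADER + "." + _b64(json.dumps(claims).encode())
    return msg + "." + _mac(key, msg).decode()


def verify(key, token, server_uuid, now=None):
    """Receiver side: returns "ok" or the reason to refuse the upload."""
    head, _, rest = token.partition(".")
    body, _, sig = rest.partition(".")
    # Pinned header and signature first, so no claim is parsed unauthenticated.
    expected = _mac(key, head + "." + body)
    if head != HEADER or not hmac.compare_digest(sig.encode(), expected):
        return "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (now or time.time()) >= claims.get("exp", 0):
        return "expired"
    if claims.get("server_uuid") != server_uuid:
        return "wrong server"
    uid = claims.get("unique_id")
    if uid:
        if uid in _redeemed:
            return "already used"
        _redeemed.add(uid)
    return "ok"
```

A multi-process or restarted service would need the redeemed identifiers in shared storage that expires entries no earlier than the token's exp.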
Source Reference
Implementation: router/router_server_files.go (postServerUploadFiles function)